Is it time to change your Spotify password? A list containing Spotify account details for hundreds of users was posted online this week, sparking fears that the music streaming giant may have been hacked. According to TechCrunch, the Spotify account details (including passwords, usernames, and other details) showed up on Pastebin early this week, but Spotify continues to deny that it has been hacked.
“User records are secure,” a Spotify representative told TechCrunch just hours after hundreds of Spotify usernames and passwords were posted online.
Many Spotify users suspected their accounts may have been compromised after reporting suspicious activity – recently played songs including tracks users had never heard of, for instance. Early reports of the leaked Spotify accounts have spread, causing commentators to question just how these details were acquired and by whom.
“It’s unclear, then, where these particular account details were acquired, given that they are specific to Spotify rather than a set of generic credentials that just happen to work on Spotify,” wrote Sarah Perez for TechCrunch, who broke the story on Monday.
Spotify got hacked today y’all. Change your password and come over to Apple Music.
— Zac Johnson (@ZacJJohnson) April 26, 2016
TechCrunch reached out to some of the individuals whose information was leaked yesterday, and many reported strange activity on their accounts.
“I suspected my account had been hacked last week as I saw ‘recently played’ songs that I’d never listened to, so I changed my password and logged out of all devices,” said one of the Spotify users.
Experts are advising caution after the suspected data breach and recommending that users change their passwords just in case, reports Digital Spy. At the same time, Spotify might be correct: it may not have been hacked, this time at least. The Spotify account details posted online yesterday might have been part of an earlier data breach.
“Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords,” Spotify said in a statement.
Spotify may not have been hacked, but the fact remains that hundreds of user accounts were compromised, usernames and passwords were posted on Pastebin, and that information came from somewhere. It may have come from an as-yet undisclosed Spotify data breach or, as TechCrunch suggests, the user information could very well have been circulating all this time from an earlier Spotify hack.
Spotify denies user details hacked after passwords show up online https://t.co/mAtv3cpTmi #Infosec
— C. Bryan Ivey – IBM (@bryan_ivey) April 26, 2016
Spotify admitted it had been compromised back in 2014, but another incident occurred in 2015, which Spotify flatly denies. In another incident, over a thousand email addresses and passwords were leaked after Spotify may have been hacked in November 2015. Newsweek reports that the hack compromised more than a thousand Spotify accounts; however, Spotify responded to the earlier hack with the exact same words used today.
“Spotify has not been hacked and our user records are secure,” reads a statement from Spotify back in 2015.
Spotify users, victims of the earlier hack, were shocked to find out their usernames and passwords were leaked and posted online. Spotify worked with customers who were affected but never informed them that their information was part of a large-scale doxing attack.
“I honestly had no idea this was a problem affecting multiple users. The messaging from Spotify appeared to imply mine was an individual case,” said a victim of the 2015 ‘hack,’ speaking with Newsweek.
Back in 2015 when Newsweek first ran their coverage of the earlier Spotify hack, Spotify’s statements were almost identical, alleging that users are to blame for using their login credentials for multiple services.
“Many people use the same credentials for multiple services and we urge anyone who thinks his or her information was compromised to change passwords. We regularly look for leaks on other services and match account names with our own so we can advise users to change passwords that may have been compromised,” said Spotify regarding the 2015 hack.